1. Not all SQL statements are parameterizable (dynamic identifiers vs literals)
2. Stopping SQL injection doesn't stop Insecure Direct Object References
3. Developers make mistakes
4. Plugins are a risk (example: http://www.zdnet.com/article/over-1-million-wordpress-websit...)
For parameterization to work you need to be perfect, always. My suggestions are for when someone else fucks up.
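Point 1 above, shown as an added example (not the commenter's code): a column name passed as a bound parameter is treated as a string literal, so `ORDER BY ?` silently does nothing useful, and the only workable defence for a dynamic identifier is an allow-list checked before the name is spliced into the statement. The table, rows and column set are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for an app DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", 41), (2, "alice", 29), (3, "bob", 35)],
    )
    return conn

def sort_with_bound_param(conn, column):
    # Binding an identifier does not raise an error, but it also does not sort
    # by that column: the placeholder is a string literal, every row gets the
    # same sort key, and the rows come back in scan order regardless of input.
    rows = conn.execute("SELECT name FROM users ORDER BY ?", (column,)).fetchall()
    return [r[0] for r in rows]

# Fixed allow-list (constructed): the only identifiers user input may select.
ALLOWED_SORT_COLUMNS = {"id", "name", "age"}

def sort_with_allowlist(conn, column):
    # Identifiers cannot be parameterized, so validate against the allow-list
    # first and only then interpolate; anything else is rejected outright.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f'SELECT name FROM users ORDER BY "{column}"').fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print("bound param :", sort_with_bound_param(db, "name"))
    print("allow-listed:", sort_with_allowlist(db, "name"))
```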